| |
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [FW-1] VPN Question - ICMP Packet Out of State - Linksys BEFV P41
- To: [email protected]
- Subject: Re: [FW-1] VPN Question - ICMP Packet Out of State - Linksys BEFV P41
- From: Steve McNutt <[email protected]>
- Date: Tue, 21 May 2002 12:31:30 -0400
- Reply-to: Mailing list for discussion of Firewall-1 <[email protected]>
- Sender: Mailing list for discussion of Firewall-1 <[email protected]>
- Thread-index: AcIA4g/FgJRQEa4PR2eLv2lM1P60xQAAZuVg
- Thread-topic: Re: [FW-1] VPN Question - ICMP Packet Out of State - Linksys BEFV P41
Are you pinging the linksys box from the firewall or are you using
machines behind the two as test points? If the latter, it sounds like a
NAT problem. Your log should not show src+dst as the addresses of the
firewalls.
Did you double check your NAT rules to make sure that you have two rules
that prevents natting between the local and remote nework objects? I am
assuming that you are dealing with non-overlapping private network
numbers of course.
Just a guess, HTH.
Steven McNutt, CCIE #6495, CCSE, MCSE
President
LightningCloud Technologies
bus:cel:[email protected]
-----Original Message-----
From: Kinsey, Brian A. [mailto:[email protected]]
Sent: Tuesday, May 21, 2002 10:49 AM
To: [email protected]
Subject: Re: [FW-1] VPN Question - ICMP Packet Out of State - Linksys
BEFV P41
Yes, I have IPSec_cluster_nat = true for all my firewall objects and my
Cluster Objects, but I still can't get the VPN to terminate on the VRRP
address. I assume that this is what you were saying was "posted less
than 2 weeks ago" as it is all I can find in the list archives or on
Phoneboy.
Any further help on this would be wonderful, BUT...
My main problem, which I see no info in the archives or on Phoneboy
about, is the first issue. Even when I terminate the VPN at the actual
Firewall IP address (not the virtual IP), I cannot communicate across
the tunnel. Both sides show the tunnel as active, but when I try to ping
across, I get the following in my Checkpoint logs:
Source = firewall external IP
Destination = Linksys external IP
Action = Drop
Info = icmp-type 3 icmp-code 2 message_info ICMP packet out of state
I can't find anything that tells me why I would be getting these Port
Unreachables from my Checkpoint firewall, or why it would be out of
state.
-----Original Message-----
From: Don [mailto:[email protected]]
Sent: Thursday, May 16, 2002 3:15 PM
To: [email protected]
Subject: Re: [FW-1] VPN Question - ICMP Packet Out of State - Linksys
BEFVP41
> I am trying to set up a VPN between my NG FP1 FW and a Linksys
> BEFVP41. I see the key installs in my log, and the Linksys shows the
> Status as Connected, but I cannot access machines across the tunnel.
> When I try to ping from a machine behind the Linksys to a machine
> inside my firewall, I get request timed out. In my firewall log, I see
> the following:
>
> Source = firewall external IP
> Destination = Linksys external IP
> Action = Drop
> Info = icmp-type 3 icmp-code 2 message_info ICMP packet out of state
>
>
> Also, my firewalls are Nokias with VRRP (monitored circuit). If I
> enter
the
> virtual external address of my firewalls into the Remote Security
> Gateway field on the Linksys, I don't even get the key installs. I
> have to enter
the
> actual IPs of one of the firewalls for it to get that far. Any ideas
> as to why I can't terminate my VPNs to the virtual IP?
=================================================
To set vacation, Out Of Office, or away messages,
send an email to [email protected]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[email protected]
=================================================
|
|
